Archive for November, 2007

Deployment tips for enterprise rights management

If you are evaluating or deploying data loss prevention or enterprise rights management technologies, here are some tips we have collected while helping organizations over the past few years. This particular list covers a deployment that spans internal and external users, such as a corporate board book for public companies with a board of directors.

- How will non-employee participants authenticate? Organizations typically authenticate internal users against LDAP or Active Directory. Non-employee board members, accountants, partners, and customers will also need some form of authentication to your organization. This could be another LDAP directory, or stronger authentication with a one-time-password (OTP) token or a public key infrastructure (PKI)-based smartcard or USB token. Alternatively, many organizations build their own authentication system on a relational database. Whatever mechanism you choose, make sure that it can tie into your rights management engine directly or through a service provider interface, and that the policy server can create a single policy containing participants from multiple directories. That way, a protected document can be exchanged seamlessly across the organizational boundary. Beware of encryption/rights management systems that identify a recipient only by an internal or external email address rather than by a unique identifier that is never reused. Otherwise, when Joe Smith (jsmith@domain) leaves and Jane Smith (jsmith@domain) joins, Jane could open Joe’s old documents simply because the email address was recycled. The same applies to any attribute that can be reassigned, such as a login name.

- How will external participants access your network? One option is an IPsec VPN that gives remote users internal access to authorized servers, including the content repository and the rights management server. An SSL VPN is a lighter-weight alternative. If the rights management web service is exposed externally, use its account lockout or throttling features to blunt brute-force password guessing. Keep in mind that a lockout which never expires can itself be turned into a denial of service against your own users by anyone who knows their login names, so prefer temporary lockouts or progressive delays and monitor for lockout storms.

- How will protected documents be stored/delivered? Today, many file servers, portals, and content management systems already provide storage-level security and file access control. However, once the document leaves the virtual file cabinet, it loses those controls and the associated auditing, unless the files are protected with enterprise rights management. Large organizations have numerous vendors and versions of content management systems, portals, and file servers. If files are to be exchanged across business units or divisions, it is important that the rights management system is independent of any one content management system. Note that some vendors are attempting to use rights management as a way to lock in a whole suite of products across the desktop and server, so look for flexibility and integration options. Once the files are protected, distribution should be possible via web, file shares, email, CD/DVD, and USB storage so as not to disrupt the workflow participants’ existing processes. Rights management provides protection independent of storage and transport: if a protected file ends up somewhere it shouldn’t, the built-in protections still enforce access.

- Protect files inbound or outbound? Decide whether the source files in the repository should be rights managed, only the copies that leave it, or both. Look for a rights management system that can apply rights automatically as documents enter a repository and/or only as documents are copied out of it. Each approach has pros and cons, so it really depends on your workflow and deployment goals. If all inbound files are protected, you have extra encryption at the file level should the repository be compromised. The challenges are that not all search systems can index a protected file, and that if you later change rights management systems you will have a lot of files to convert. Outbound protection encrypts files as they are requested from the repository, leaving the originals untouched, which keeps search working and leaves you flexibility in the rights management deployment. A hybrid approach stores one unencrypted copy in its source form and automatically creates a rights managed copy for distribution outside the repository.

- How will you classify your documents? It is important to have an information classification system that yields a short list of policies with corresponding users and groups. If you have too many policies, it will be difficult for individuals or even automated systems to determine which policy should be applied. The information classification entry below (“What does Confidential mean?”) provides additional recommendations.

- How will you identify sensitive documents? Once a document is assigned a policy, mark it with that policy. This can be done in the original source document template, by a document stamping procedure on the server, or through a dynamic watermark applied by the enterprise rights management system. With a dynamic watermark, the mark changes along with the policy and can carry additional information such as the viewer’s name, email address, and/or the date/time viewed. If the document then ends up somewhere it shouldn’t, you have a detective control to trace the source of the unauthorized distribution.

- How will authorization lists be maintained? A rights management policy needs to identify users or groups as authorized recipients. While users can be maintained manually in a policy, more dynamic organizations should look at groups and external authorization capabilities. For example, a group referenced by the rights management server could map to an existing mailing list or file server access list. HR systems can automatically populate directory groups based on reporting structure, so a “legal-all” group dynamically includes the entire legal department even as employees join and leave the organization. Authorization within a content management system or custom system can be integrated into a policy definition through a service provider interface. Whatever the source, the policy should reference the group itself rather than a snapshot of its members, so that a removal takes effect at the next open without republishing the document.

- What are your end-user software limitations? Some document protection mechanisms require additional desktop software to be deployed and others do not. Most IT organizations are looking to limit the amount of software they deploy and manage internally. This can make it difficult to deploy rights management to the desktop, especially when exchanging files outside your organization, if additional software is required to open the document. Verify whether the security software requires administrative rights on the system and check its compatibility with the operating system vendors and versions in use. Adobe has integrated security natively into PDF as supported by Adobe Acrobat and Reader 7.0 and higher on Mac, Windows, and Linux platforms. The native enterprise rights management capabilities are used via web service calls to the Adobe LiveCycle Rights Management server, so no additional software is required by recipients to view the protected document. Adobe has partnered with other IT providers, such as PTC, Hitachi/Lattice3D and multi-function peripheral vendors like Ricoh, to include rights management in their native applications and supported formats. Adobe also provides plug-ins for Microsoft Office and Dassault CATIA native file formats so rights management policies can be consistently applied across a variety of applications and formats.

- How will your users be trained? Once a system is deployed, it’s important for users to be trained on its use, including which policies to use on which applications and file formats under which circumstances. Options range from instructional text on employee portals, to doorhanger and poster campaigns, to mandatory online training classes.

- How will your system scale? With an increasing number of employees, partners, and customers accessing sensitive information, it’s important that your enterprise rights management system will scale to meet the needs of the growing community. Look for high availability systems that support J2EE clustering (e.g. WebLogic, WebSphere, JBoss) and scalable databases (Oracle, DB2, SQL Server, MySQL).

- Will your administrators become insiders? If an administrator has access to sensitive information, that could make them an insider, depending on the content. While deploying an enterprise rights management system, look for segregation of duties where different administrators have access to different systems. For instance, one administrator may manage the repository of sensitive board book documents while another administers the enterprise rights management server. Neither administrator alone could read a sensitive document, because doing so requires both access to the document and authorization from the rights management server. Note that an administrator who can edit a policy can add themselves to it, so log administrative changes to policies and have them reviewed by someone other than the rights management administrator.

- What will you do when policies are broken? After deploying enterprise rights management, you will likely see an increase in detected policy violations, because attempts by internal and external people to open protected documents without access rights are now logged, and watermarked documents turn up in unauthorized places. A strong communication and non-disclosure policy should be in place to address violations. Further, if violations require notifying law enforcement, be prepared to show that the compromised information was marked as confidential, that the recipients knew your confidential information classification policies, that the information was protected with information security controls, and that it has a quantifiable value.
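The authentication and authorization points in the list above (a stable identifier rather than an email address as the policy key, a temporary lockout on the externally exposed service, and group-based policies fed by the directory) in working form. This is an added example, not code from Adobe or from LiveCycle Rights Management. The `Directory`, `Authenticator` and `Policy` classes, the user records and the group names are constructed stand-ins; a real deployment would bind these to LDAP/Active Directory and to the rights management server’s service provider interface.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

@dataclass
class User:
    uid: str                      # immutable, never-reused identifier: the policy key
    email: str                    # mutable and recyclable: a login name, never the key
    groups: set = field(default_factory=set)
    salt: bytes = b""
    pw_hash: bytes = b""

def _hash(password, salt):
    # Demo hashing only; production code would use a slow KDF (PBKDF2, bcrypt, scrypt).
    return hashlib.sha256(salt + password.encode()).digest()

def make_user(uid, email, password, groups=()):
    salt = os.urandom(16)
    return User(uid, email, set(groups), salt, _hash(password, salt))

class Directory:
    """Constructed stand-in for LDAP/AD plus an external participant database."""
    def __init__(self):
        self.by_uid = {}
        self.parents = {}         # group -> groups that contain it (nesting)

    def add(self, user):
        self.by_uid[user.uid] = user

    def remove(self, uid):
        del self.by_uid[uid]

    def nest(self, child, parent):
        self.parents.setdefault(child, set()).add(parent)

    def find_by_email(self, email):
        return next((u for u in self.by_uid.values() if u.email == email), None)

    def effective_groups(self, uid):
        """Direct groups plus every group that transitively contains them."""
        user = self.by_uid.get(uid)
        todo, seen = list(user.groups) if user else [], set()
        while todo:
            g = todo.pop()
            if g not in seen:
                seen.add(g)
                todo.extend(self.parents.get(g, ()))
        return seen

class Authenticator:
    """Email/password login with a temporary lockout against online guessing."""
    def __init__(self, directory, max_failures=5, lock_seconds=900):
        self.dir, self.max_failures, self.lock_seconds = directory, max_failures, lock_seconds
        self.failures = {}        # email -> (failure count, time of last failure)

    def login(self, email, password, now):
        count, last = self.failures.get(email, (0, 0))
        if count >= self.max_failures:
            if now - last < self.lock_seconds:
                return None       # locked; a lock that never expires is a denial-of-service lever
            count = 0             # lock window elapsed
        user = self.dir.find_by_email(email)
        if user and hmac.compare_digest(_hash(password, user.salt), user.pw_hash):
            self.failures.pop(email, None)
            return user.uid       # hand the stable uid, not the email, to authorization
        self.failures[email] = (count + 1, now)
        return None

@dataclass
class Policy:
    name: str
    members: set = field(default_factory=set)   # uids, from any of the directories
    groups: set = field(default_factory=set)    # directory group names

def can_open(policy, uid, directory):
    if uid not in directory.by_uid:
        return False              # departed users fail closed even if a uid is presented
    return uid in policy.members or bool(policy.groups & directory.effective_groups(uid))

def recycled_email_demo():
    """Joe leaves, Jane joins with the same address: email-keyed vs uid-keyed policy."""
    d = Directory()
    d.nest("legal-contracts", "legal-all")
    d.add(make_user("uid-1001", "jsmith@example.com", "joe-pass", ["legal-contracts"]))
    policy = Policy("Insider Restricted", groups={"legal-all"})
    email_keyed = {"jsmith@example.com"}        # the weak design warned about above
    joe_ok = can_open(policy, "uid-1001", d)    # True, via the nested group
    d.remove("uid-1001")
    jane = make_user("uid-2002", "jsmith@example.com", "jane-pass")
    d.add(jane)
    weak = jane.email in email_keyed            # True: Jane could open Joe's old documents
    strong = can_open(policy, jane.uid, d)      # False: different uid, no qualifying group
    return joe_ok, weak, strong
```

The login step returns the directory’s immutable identifier and the policy is keyed on that, which is what keeps the recycled address from carrying Joe’s rights over to Jane; the group walk is what lets a “legal-all” policy follow the org chart without editing the policy.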

These tips coupled with enterprise rights management, such as Adobe LiveCycle Rights Management, provide added assurances that your intellectual property and personally identifying information is protected and the corresponding policies/laws are more enforceable.

NEC BIGLOBE offering Adobe’s rights management as a service

Adobe and NEC BIGLOBE recently announced a new enterprise rights management software as a service (SaaS) offering for the Japanese market. This service is designed for organizations seeking to strengthen their internal controls and mitigate the risk of disclosing confidential or personally identifying information.

NEC BIGLOBE is an application service provider (ASP) offering Adobe LiveCycle ES Rights Management to dynamically control protected documents inside and outside an organization. Organizations can quickly and easily deploy this technology by utilizing the hosting and integration capabilities offered by NEC BIGLOBE.

Adobe’s history of content protection

Every once in a while, someone asks “How long has Adobe offered content protection?” Turns out, Adobe’s information assurance efforts have been ramping up for over a dozen years. Adobe provides security features in numerous products and also provides dedicated security solutions such as LiveCycle Digital Signatures and LiveCycle Rights Management. Here’s a brief history:

Adobe’s history of content protection started with Acrobat 2.0 in 1994. At the time, this was simple 40-bit RC4 password-based encryption and digital rights management (DRM) to restrict who can open the document and what they can do with it.

Acrobat 4.0 in 1999 added support for Public Key Infrastructure (PKI), enabling a single PDF document to be protected for multiple recipients, with different permissions for each based on their own keypair. Depending on who opened the document, printing, modification, and clipboard actions are enabled or disabled. This release was also the first to add digital signatures using PKI. This was important for moving paper documents to digital form, with an opportunity for higher levels of assurance than a wet (ink) signature on paper by utilizing cryptographic protections of authenticity, integrity, and non-repudiation. Acrobat 5.0 added support for 128-bit RC4 encryption for stronger confidentiality. Acrobat 6.0 added support for the Microsoft CryptoAPI (CAPI) so the keypair could be stored in the Windows certificate store or, through a Cryptographic Service Provider (CSP), on smartcards and other tokens.

In 2005, Acrobat and Reader 7.0 shipped along with LiveCycle Policy Server and Security Server. AES-128 encryption was added to PDF. The enterprise rights management capabilities of Policy Server integrate with an organization’s LDAP or Active Directory. A policy coupled with an information classification such as “Insider Restricted” restricts who can open the document and what they can do with it, and also provides enterprise auditing. Absolute (e.g. on 12/31) and relative (e.g. 7 years from document creation) expiration dates can be set to automatically expire documents. All the permissions in a policy are dynamic and can change after the document is published: users can be added or deleted, permissions changed, or the document revoked entirely. Many use this revocation feature for version control outside a repository: as a document is changed on the server, all distributed copies are automatically revoked and the recipient is notified to go back to the server for the current version. Visual watermarking on PDF can show the policy name, the recipient opening the document, and the date/time. Acrobat and Reader 7.0 were also US Department of Defense (DoD) certified by the Joint Interoperability Test Command (JITC). LiveCycle Security Server provided the ability to apply and validate digital signatures as well as encrypt and decrypt documents in an automated business process. Flash Media Server 2 provided protected streaming for delivering video to Flash Player.

As we wrap up 2007, there has been a lot going on over the last 12 months. Acrobat, Reader, and LiveCycle shipped with new FIPS 140 approved encryption libraries. LiveCycle Rights Management (formerly Policy Server) now supports native Microsoft Office documents as well as Dassault CATIA. LiveCycle Digital Signatures (formerly Security Server) provides XML signature support as well as certified documents and is integrated with automated forms and document generation processes. Adobe’s rights management has been integrated into hardware devices such as Multi Function Peripherals (MFPs) from Ricoh and others. Third party software vendors including PTC and Hitachi/Lattice3D are integrating Rights Management into their native applications. Adobe Media Player is in public pre-release with support for content protection on downloadable and offline Flash video.

What about 2008 and beyond? Stay tuned for more entries as Adobe’s security solutions expand to protect even more aspects of the information lifecycle – independent of storage, independent of transport, across operating systems and file formats.

Data Loss Prevention and Enterprise Rights Management

Data Loss Prevention (DLP) has been a hot topic lately based on increased intellectual property and personally identifying information (PII) leaks. A number of vendors are offering desktop and server systems to monitor traffic and determine whether sensitive content is going somewhere it shouldn’t. It’s like a reverse firewall – instead of keeping malicious outside traffic from coming in, it’s keeping malicious inside traffic with sensitive information from going out.

The challenge with these systems is that a very complex rule set needs to be developed to determine whether the content is sensitive and authorized to be delivered from the sender to the recipient. While searching for credit card and social security numbers can be easy, documents such as product strategies, CAD drawings, intraquarter finances, and board of director minutes can be much more difficult to track.

Implementing an information classification system is a critical step in any kind of information assurance initiative. If you don’t know what your sensitive information is, it’s difficult to protect it and determine who the authorized recipients are.

If you’re considering host and/or network based DLP, you may want to consider an extension or alternative by deploying enterprise rights management (also known as information rights management, IRM, or even digital rights management, DRM). One such product is Adobe LiveCycle Rights Management (formerly Policy Server).

Enterprise rights management provides persistent protection for data at rest and data in transit, inside and outside an organization. You aren’t limited to the access controls of a content management system or portal, which only protect the document inside the virtual file cabinet. You aren’t limited to VPN, SSL, or S/MIME secure email sessions, which only protect the content in transport. You also aren’t limited to protecting only your end-points: this technology provides persistent access control at the file level, no matter where the file goes or how it got there. A protected file is controlled by a server based policy rule which determines whether the authenticated recipient is allowed to view the document. Further, application level permissions can restrict what an authorized viewer can do with the document, such as printing, modifying, and copy & paste clipboard functions.

Adobe’s LiveCycle Rights Management solution provides dynamic policies which can change after a document has been published and distributed. If a previously authorized recipient changes roles or leaves the organization completely, the document will no longer open, no matter how many copies were made to hard drives, USB keys, and CDs/DVDs. This dynamic policy engine can be integrated with a content management system so the same groups/roles/permissions that protect the file inside the virtual file cabinet persist with the file after it leaves the repository. Further, this dynamic policy mechanism allows documents to be remotely version controlled and even revoked, so if the primary copy changes on the server, recipients have enforced versions on the desktop. As part of the LiveCycle Enterprise Suite, rights management can be programmatically integrated into structured business processes that generate documents and reports in bulk and route electronic forms with sensitive financial or healthcare information. The rights can also be applied in ad-hoc workflows on the desktop with two clicks, e.g. Secure -> Insider Restricted.
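The server-side decision described in the two paragraphs above, written out as an added example that is not Adobe’s code and does not reproduce the LiveCycle Rights Management protocol: a constructed `PolicyServer` that a rights-enabled viewer would consult on every open, returning a verdict plus the application-level permissions, and showing how a policy edit, a new version, expiration (the absolute and relative dates mentioned in the history entry above) and revocation each change the answer for copies that were distributed earlier. The document and policy names, the dates, the verdict format and the `lifecycle_demo` walk-through are assumptions for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

NO_RIGHTS = {"print": False, "modify": False, "copy": False}

@dataclass
class Policy:
    name: str
    readers: set                                  # principal ids; editable after publication
    permissions: dict = field(default_factory=lambda: dict(NO_RIGHTS))
    expires_at: Optional[datetime] = None         # absolute expiration, e.g. 12/31
    valid_for: Optional[timedelta] = None         # relative expiration from publication
    revoked: bool = False

@dataclass
class Document:
    doc_id: str
    policy_name: str
    version: int                                  # bumped on every re-publication
    published: datetime

class PolicyServer:
    """Constructed stand-in for the server a rights-enabled viewer calls on every open."""
    def __init__(self):
        self.policies, self.documents, self.audit = {}, {}, []

    def add_policy(self, policy):
        self.policies[policy.name] = policy

    def publish(self, doc_id, policy_name, now):
        doc = self.documents.get(doc_id)
        version = doc.version + 1 if doc else 1
        self.documents[doc_id] = Document(doc_id, policy_name, version, now)
        return version

    def decide(self, doc_id, copy_version, principal, now):
        verdict = self._evaluate(doc_id, copy_version, principal, now)
        self.audit.append((now, principal, doc_id, copy_version, verdict["reason"]))
        return verdict

    def _evaluate(self, doc_id, copy_version, principal, now):
        def deny(reason, **extra):
            return {"open": False, "reason": reason, "permissions": dict(NO_RIGHTS), **extra}
        doc = self.documents.get(doc_id)
        if doc is None:
            return deny("unknown document")
        policy = self.policies.get(doc.policy_name)
        if policy is None or policy.revoked:
            return deny("revoked")                # no key is released; every copy goes dark
        if copy_version != doc.version:
            return deny("stale version", current_version=doc.version)
        if policy.expires_at and now >= policy.expires_at:
            return deny("expired")
        if policy.valid_for and now >= doc.published + policy.valid_for:
            return deny("expired")
        if principal not in policy.readers:
            return deny("not authorized")
        return {"open": True, "reason": "ok", "permissions": dict(policy.permissions)}

def lifecycle_demo():
    """Verdicts a viewer receives as the policy and document change after publication."""
    t0 = datetime(2007, 11, 1, tzinfo=timezone.utc)
    server = PolicyServer()
    server.add_policy(Policy("Board Restricted", readers={"alice", "bob"},
                             permissions={"print": True, "modify": False, "copy": False},
                             valid_for=timedelta(days=30)))
    v1 = server.publish("board-book-q4", "Board Restricted", t0)
    steps = [server.decide("board-book-q4", v1, "alice", t0)["reason"]]
    server.policies["Board Restricted"].readers.discard("bob")      # bob leaves the board
    steps.append(server.decide("board-book-q4", v1, "bob", t0)["reason"])
    v2 = server.publish("board-book-q4", "Board Restricted", t0 + timedelta(days=1))
    steps.append(server.decide("board-book-q4", v1, "alice", t0 + timedelta(days=1))["reason"])
    steps.append(server.decide("board-book-q4", v2, "alice", t0 + timedelta(days=2))["reason"])
    steps.append(server.decide("board-book-q4", v2, "alice", t0 + timedelta(days=40))["reason"])
    server.policies["Board Restricted"].revoked = True
    steps.append(server.decide("board-book-q4", v2, "alice", t0 + timedelta(days=2))["reason"])
    return steps
```

Removing bob, bumping the version and revoking the policy each take effect at the next open of any copy, with no redistribution, because the file on disk is only ciphertext until the server says “ok”. Two limits worth stating: a copy that is never opened again is never re-checked, and the permissions in the verdict are enforced by the viewing application, so the protection is only as strong as the trusted viewer that holds the released key.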

IT organizations know that deploying software has become more difficult. The typical DLP vendors require desktop software to enforce information distribution. If you are sharing sensitive information outside your organization with customers, partners, suppliers, or government agencies, good luck telling them that they need your flavor of DLP end-point monitoring software, which requires an administrative install. If an employee or outside user doesn’t have the end-point software installed, they can still interact with sensitive data without your knowledge. Even with the DLP software, printing, copying & pasting, and modifying usually aren’t restricted. With rights managed files, recipients cannot open a file unless they have an application with rights management support and permission from the server to open the file, and the server also dictates what can be done once the file is open.

Adobe’s enterprise rights management software is built into PDF with Adobe Acrobat and Adobe Reader, version 7 and higher, across OS platforms. Further, Adobe has partnered with PTC and Lattice3D so their CAD software applications natively incorporate enterprise rights management without additional plug-ins. The upcoming release of the Adobe Integrated Runtime (AIR) also incorporates rights management to natively protect video files in Adobe Media Player, which is useful for protecting training videos and employee meetings with sensitive information that should not be available to unauthorized recipients. Multifunction peripherals and devices (MFP / MFD), such as those from Ricoh, are also including native Adobe rights management. Even native Office and Dassault CATIA documents can be protected, but those applications do require a separate plug-in in order to view a rights managed document.

With enterprise rights management on all these native file formats, a protected document can accidentally or maliciously travel anywhere inside or outside an organization with added assurance that only the authorized recipients are able to view it. So while most DLP vendors only detect and block questionable traffic at end points, enterprise rights management persistently enforces access independent of storage and independent of transport.

Electronic Signature and Secure Forms in the Insurance Industry

Karen Pauli from the Tower Group recently published a research note on progress and opportunities with electronic signatures and secure forms in the Insurance Industry.

Summary from the report:

Electronic commerce is no longer a “nice-to-have” capability. A more global business model demands that carriers adopt capabilities for moving documents electronically. Consumers are becoming less tolerant of paper-based transactions because of both the time and volume required. Insurance business processes are bound by many legal requirements, and fulfilling those requirements in a cost-effective and documented way is a critical concern for the insurance industry. The ever-increasing demand to establish competitive advantage and deal with pervasive problems related to fraud and compliance requires new and creative solutions. Electronic signature technology has enterprise applicability to address all these issues.

Insurance carriers must transition away from traditional paper-based, wet-signature processes and adopt secure document and electronic signature technology. The technical complexity may appear daunting, but technology solutions providers and experts in the marketplace can partner with carriers to overcome this hurdle. The legal barriers have been eliminated by ESIGN and UETA enactment. The pen is now on the Web, and the time is right for carriers to reach out and grab it.

Information Classification – What does “Confidential” mean?

An important aspect of protecting critical electronic information is knowing what information needs to be protected, what doesn’t, and who the authorized recipients are. Countless organizations stamp “Confidential” at the bottom of their documents. What does that mean? Everyone inside the organization can access it, but nobody outside? Or only full time employees inside the organization? Or anyone internally plus anyone externally that has some sort of non-disclosure agreement (NDA) in place? If there isn’t a widely understood definition in place internally and externally, sensitive information is no doubt going places it shouldn’t be.

A basic system of marking documents can help. It’s often called information classification, sensitivity classification, sensitivity labels, or even data classification. A short list of tags or labels is used to define the sensitivity of the document and is tied to an intended audience. Large organizations will certainly have more than one label, but if you create too many – it becomes too confusing for a document owner or auto classification system to determine which one to use to apply and stamp on a document.

Here are a few recommended labels to get started. You might want to prefix the labels so recipients know it’s your system of classifying documents, e.g. XYZ Public, or customize them more for your organization.

1. XYZ Public. Documents that are for public consumption and have no risk to the company if they end up some place they shouldn’t. It is also usually assumed that a document that does not have a label on it – is public.

2. XYZ NDA Confidential. For documents that should be viewed only by recipients with a non-disclosure agreement.

3. XYZ Employee Confidential. For documents that should be viewed only by recipients who are employees (full or part-time). Depending on your organization, you may want to create two tags – one for full-time, one for part-time. Could be something like “XYZ Employee Confidential” and “XYZ Regular Employee Confidential”

4. XYZ Insider Restricted. For publicly held companies, there is a lot of sensitive information that cannot be disclosed externally or to the general employee community.

5. XYZ Management Restricted. For documents that should only be viewed by the senior management of an organization, and not the general employee community.

6. XYZ Board Restricted. For publicly held companies, with electronic “board books” this classification designates the board of director community.

7. XYZ Private. For documents with personally identifying information, which typically includes health, financial or other personal data.

For strategic alliances or mergers & acquisitions, additional classifications should be created specific to that initiative. For example, “XYZ Project ABC”. By using a codename, the existence of the label does not expose the project itself.

A color coding scheme can also be used with these labels to help users remember what is the least confidential and most confidential of the classifications. For example, a spectrum from Green, through Blue, Yellow, Orange, to Red. Some organizations will color the label, or even the entire cover sheet of a sensitive document.

With a basic system like this in place, it’s much easier to classify information as part of a data loss prevention (DLP) strategy. Further, when you do find a document that has leaked to someplace it shouldn’t, you have the ability to take corrective action internally or legal action externally. Otherwise, if you discover an insider or an outsider that has your sensitive information, but it isn’t marked, it will be significantly more difficult to take action because the recipient of that information can claim it wasn’t sensitive.

Some other things to think about are:

- What is the default label for all documents? Should it be Public? Or should it be Employee Confidential? Should it be set up that way for an entire organization? Or should different departments have different default classifications?

- How will you identify which internal and external users are in which classifications? Directories such as Active Directory or LDAP are a good place to store the group membership information, especially when they can contain organization reporting structures and/or roles as part of the group member lists. So instead of having to specify every employee or recipient individually, whole divisions and departments can be included and dynamically updated as the org chart changes.

- How will you enforce access to labeled information? File servers, portals, and content management systems are typically used for this, tied to the directory of users and their corresponding access. You can go one step further by utilizing enterprise rights management, from a product such as Adobe LiveCycle Rights Management (formerly known as Policy Server), to persistently enforce a security classification, independent of storage and independent of transport. So after the sensitive document leaves the secure storage and/or secure transport mechanism, it maintains its access control at the data level. Should that document be accidentally or maliciously forwarded to someone that shouldn’t have access, the file won’t open.

- How will you mark sensitive documents? Document templates are a good way to start, including those in presentation and word processing programs. The process becomes much more automated when tied to enterprise rights management. A policy from LiveCycle Rights Management can automatically apply a dynamic watermark to a document corresponding to the classification label. It can also show the name of the user that is opening the document and the date/time the document was viewed. If printing of the document is allowed (which can also be restricted), the dynamic watermark persists onto the printed page as a detective control. If that physical document ends up some place it shouldn’t, you can track down how it got there.

- How will your users know who is in what classification? In addition to posting the classification labels and running an awareness campaign, the employee directory structure tied to enterprise rights management can enforce the classification labels even when the sender doesn’t know whether the recipients are allowed to view the document. For example, the insiders in an organization are typically reminded on a regular basis that they cannot trade the company stock anytime they want and are restricted to certain trading windows. Everyone that is identified as an insider is frequently reminded of their insider status. However, a common gap is that an insider may not know who all the other insiders are in a very large organization. That makes it difficult to determine when business critical information can be shared to adjust business operations. By using an insider restricted label, tied to a directory group, tied to enterprise rights management, an insider restricted document cannot be opened by someone that isn’t specifically tagged as an insider. If such a document is accidentally or maliciously distributed to someone else, it remains secure.

- Need additional enforcements beyond just opening the document? Again, enterprise rights management provides persistent security to the document to not only restrict who can open a document, but also what they can do with it. For example, you can restrict printing, modifying, and copy & paste clipboard actions from a protected document.